quinn 0.10.1

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate `quinn`

Dependencies

(12 total, 2 outdated, 2 possibly insecure)

Crate	Required	Latest	Status
async-io	`^1.6`	`2.3.2`	out of date
async-std	`^1.11`	`1.12.0`	up to date
bytes	`^1`	`1.6.0`	up to date
futures-io	`^0.3.19`	`0.3.30`	up to date
pin-project-lite	`^0.2`	`0.2.14`	up to date
quinn-proto ⚠️	`^0.10`	`0.10.6`	maybe insecure
rustc-hash	`^1.1`	`1.1.0`	up to date
rustls ⚠️	`^0.21.0`	`0.23.5`	out of date
thiserror	`^1.0.21`	`1.0.59`	up to date
tokio	`^1.28.1`	`1.37.0`	up to date
tracing	`^0.1.10`	`0.1.40`	up to date
quinn-udp	`^0.4`	`0.4.1`	up to date

Dev dependencies

(12 total, 2 outdated)

Crate	Required	Latest	Status
anyhow	`^1.0.22`	`1.0.82`	up to date
bencher	`^0.1.5`	`0.1.5`	up to date
clap	`^4`	`4.5.4`	up to date
crc	`^3`	`3.2.1`	up to date
directories-next	`^2`	`2.0.0`	up to date
rand	`^0.8`	`0.8.5`	up to date
rcgen	`^0.10.0`	`0.13.1`	out of date
rustls-pemfile	`^1.0.0`	`2.1.2`	out of date
tokio	`^1.28.1`	`1.37.0`	up to date
tracing-futures	`^0.2.0`	`0.2.5`	up to date
tracing-subscriber	`^0.3.0`	`0.3.18`	up to date
url	`^2`	`2.5.0`	up to date

Security Vulnerabilities

`quinn-proto`: Denial of service in Quinn servers

RUSTSEC-2023-0063

Receiving QUIC frames containing a frame with unknown frame type could lead to a panic. Unfortunately this is issue was not found by our fuzzing infrastructure.

Thanks to the QUIC Tester research group for reporting this issue.

`rustls`: `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input

RUSTSEC-2024-0336

If a close_notify alert is received during a handshake, complete_io does not terminate.

Callers which do not call complete_io are not affected.

rustls-tokio and rustls-ffi do not call complete_io and are not affected.

rustls::Stream and rustls::StreamOwned types use complete_io and are affected.